5 Ways to Spot a Phishing Scheme

Since 2015, cybercriminals and hackers have relied on social engineering techniques, such as phishing email schemes, as their primary means of bypassing cybersecurity controls.

These techniques, rather than relying on coding prowess or technical knowledge, use deception and human gullibility to penetrate otherwise secure networks by having the recipient either provide their legitimate login credentials (which the criminal can then use) or install malicious code on the criminal’s behalf.

In its 2016 Data Breach Investigations Report, Verizon Enterprise reported that 30 percent of phishing emails were opened by the target, who did so within an average of one minute and 40 seconds. Of even greater concern, 12 percent of users clicked on the malicious attachment or link that the email contained, doing so within three minutes and 45 seconds on average.

More than likely, you’ve heard of the most famous example of a phishing email: the Nigerian Prince scam. By providing the sender with your social security number and some trivial banking information, you can supposedly receive a handsome reward for "safeguarding" some foreign funds.

Of course, your students and faculty are probably too savvy to fall for such an obvious ploy these days; however, criminals have grown more sophisticated as well.

Scammers now trawl through Facebook profiles and other social media to create targeted “spear phishing” messages that mention the target by name and use other personal facts to lend an air of legitimacy to the exchange.

And by sending the phishing message directly through social media, scammers can now bypass most of the security measures and email filtering tools that have been set up on your campus.

While there is no sure-fire method to identify a phishing email every time, there are a number of common traits that you will often find.

A Phishing Message Will Typically…

1. Be poorly written

Most communication that comes from a government office or professional business will have passed through the hands of an editor or legal department where spelling and grammar would have been reviewed.

By contrast, many of these phishing attempts originate from overseas, where English is not the primary language, so frequent spelling and grammar mistakes within an email (particularly one requesting information or financial payments) should be treated as a warning sign.

2. Ask for personal information

If a message asks you to provide your personal identification information or general account information, you should be suspicious. Any bank or financial institution that interacts with your campus, faculty, or students will already have that information (including account numbers and social security numbers) on file. Similarly, no legitimate business will need you to send your login and password in an email or social media message.

3. Contain a mismatched web address

A common technique used by scammers is to embed a web link in an email whose visible text appears legitimate but that actually leads to a harmful site. For example, the text of the link will read legitcompany.com; however, when you click the link, it will actually direct you to scammersparadise.com instead.

An easy way to tell if a link is legitimate is to hover your mouse over it without clicking. Most email programs will show the link’s actual destination, either in a popup or at the bottom of the window. If the visible text and the actual destination do not match, you likely have a phishing email.

4. Use misleading URLs

Another trick commonly used is to take advantage of how little attention most people pay to URLs. For example, login.legitcompany.com is a URL that would take you to the legitimate company your campus commonly interacts with. However, login.legitcompany.com.scammersparadise.com would direct you to a fake site intended to steal your login information.

The key is to look at the text immediately to the left of the rightmost “.com” (or .org, .edu, etc.). That text identifies the site the link actually directs to.
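Items 3 and 4 above describe the check by hand; the following code performs the same comparison automatically over the links in a message. It is an added example, not part of the original article: the domain names are the article’s own placeholders, the sample email body is constructed, and the short suffix set stands in for the real Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed email body; the domain names are the article's placeholders.
SAMPLE_EMAIL = """<p>Your account will be locked in 24 hours.</p>
<a href="http://login.legitcompany.com.scammersparadise.com/verify">legitcompany.com</a>
<a href="https://login.legitcompany.com/portal">login.legitcompany.com</a>
<a href="http://scammersparadise.com/x">Click here</a>"""

# Short stand-in for the Public Suffix List (an assumption of this example).
KNOWN_SUFFIXES = {"com", "org", "edu", "net", "co.uk", "ac.uk"}

def registrable_domain(host):
    """Label just left of the rightmost known suffix, plus that suffix."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest suffix first, so "co.uk" beats "uk"
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)

def link_host(href):
    """Host the browser would really contact; bare 'site.com/x' gets a scheme."""
    return urlsplit(href if "//" in href else "http://" + href).hostname or ""

class _Anchors(HTMLParser):
    """Collect (visible text, href) for every <a> element in the message."""
    def __init__(self):
        super().__init__(); self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a": self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None: self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href)); self._href = None

def suspicious_links(html):
    """(visible text, real host) for links whose text shows a domain that
    differs from the registrable domain the href really points at."""
    p = _Anchors(); p.feed(html)
    out = []
    for text, href in p.links:
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if not shown:       # "Click here" shows no domain to compare against
            continue
        real = link_host(href)
        if registrable_domain(shown.group()) != registrable_domain(real):
            out.append((text, real))
    return out
```

Running `suspicious_links(SAMPLE_EMAIL)` flags only the first link: its text reads legitcompany.com, but the rightmost registrable domain of its target is scammersparadise.com, while the second link’s subdomain of legitcompany.com passes.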

5. Have a sense of urgency

Critical thought is one of the primary enemies of a social engineering attack, so most criminals will place strict time limits in their phishing messages. The missive will either threaten a penalty, such as shutting down an account or levying a fine, or offer a limited-time reward that must be acted on immediately, before you have time to think.

Conclusion

Having a knowledgeable, well-informed faculty and student body is critical to frustrating phishing attempts on your campus. Unsurprisingly, education is key, and a sound training program can empower your staff to play a role in campus cybersecurity.

If you would like to learn more about how Campus Answers could help your school to promote data security awareness on your campus, you can fill out the form on the right to request a demo of our services.